1. Field of the Invention
The present invention relates to a method, system, and computer program product for identifying files that are found during a malware scan by using a remote database of known files, thus enabling identified files to be excluded from further analysis.
2. Description of the Related Art
As the popularity of the Internet has grown, the proliferation of computer viruses and other malware has become more common. A malware is a program or piece of code that is loaded onto a computer without the knowledge or consent of the computer operator. A computer virus is malware that replicates itself and often loads copies of itself onto other connected computers. Ways in which viruses and other malware proliferate include loading themselves into a computer along with a Web page that a user of the computer has selected, activating and loading themselves into a computer when a user opens an E-mail attachment, loading themselves into a computer by exploiting a vulnerability (e.g. a buffer overflow) in system software, etc. etc. Once the virus has been loaded onto the computer, it is activated and may proliferate further and/or damage the computer or other computers.
Along with the proliferation of computer viruses and other malware has come a proliferation of software to detect and remove such viruses and other malware. This software is generically known as anti-virus software or programs. In order to detect a virus or other malicious program, an anti-virus program typically scans files stored on disk in a computer system and/or data that is being transferred or downloaded to a computer system and compares the data being scanned with profiles that identify various kinds of malware. The anti-virus program may then take corrective action, such as notifying a user or administrator of the computer system of the virus, isolating the file or data, deleting the file or data, etc.
Quite often a user may suspect that a computer has been infected with some new malware which is not yet detected by anti-malware products. In such cases an investigation of the user's system is necessary. This process can be automated: the usual files of interest include running processes with all their modules, services, browser helper objects, downloaded program files, processes that own opened sockets, applications launched through the Run keys in the Registry, etc. There are numerous tools available that do this kind of information gathering. The problem is that on a typical system such a tool may find hundreds or thousands of files (applications, DLLs, drivers, ActiveX controls, etc.) that may require further analysis. However, the great majority of these files are included in legitimate software that has been installed on the computer. These legitimate files do not need to be further analyzed and should be excluded from further examination. However, the legitimate files that are included with legitimate software change as new versions of the software are released, updates are installed, etc.
A need arises for a technique by which files that are found during a malware scan can be identified and thus excluded from further analysis.